UK General Data Protection Regulation (UK GDPR)

Contractual clauses for international data transfer

Guide

The most common method of complying with the data transfer requirements under the General Data Protection Regulation is the use of Standard Contractual Clauses (SCCs). SCCs make the data transfer between two businesses subject to a legally binding agreement guaranteeing the rights of individuals whose personal data is being transferred.

SCCs for restricted transfers from the EU

In June 2021, the European Commission adopted new Standard Contractual Clauses which are used to provide safeguards for restricted transfers of personal data from the EU. These were not valid for restricted transfers under the UK GDPR. UK data transfers continued to rely on the older EU SCCs until new UK-specific transfer mechanisms were put in place.

Restricted data transfers from the UK

As of 21 March 2022, businesses subject to the UK General Data Protection Regulation can use new UK equivalents in place of the SCCs for international transfers. These are:

  • International Data Transfer Agreement (IDTA) – most likely to be used for transfers of personal data to a single country
  • Addendum to the EU SCCs – most likely to be used for transfers involving EU data

The IDTA and the Addendum take into account the data protection concerns raised by the Schrems II case, and require data exporters to carry out a risk assessment before making the transfer to ensure that it is adequately protected.

International Data Transfer Agreement and guidance

The IDTA, the Addendum and a document setting out transitional provisions came into force on 21 March 2022. Exporters are now able to use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers to third countries, such as the United States.

The IDTA operates on a standalone basis and is substantially similar to the new EU SCCs. The Addendum on the other hand operates in conjunction with the new SCCs by amending them to allow for their use for transfers from the UK.

Find more information on the IDTA and the Addendum.

Transition period for using the IDTA and the Addendum 

The Information Commissioner's Office (ICO) has introduced a grace period for implementing the UK's IDTA and Addendum. You may continue to enter into new contracts on the basis of the old EU SCCs until 21 September 2022. You can access the ICO's versions of these SCCs templates here:

All contracts on the basis of the old EU SCCs will continue to provide 'appropriate safeguards' for the purpose of UK GDPR until 21 March 2024.

From that date, if your restricted transfers continue, you must enter into a contract on the basis of the IDTA or the Addendum, or find another way to make the restricted transfer under the UK GDPR.

    Contractual clauses are most likely to be appropriate for small and medium-sized businesses. If you are part of a multinational group of companies, and receiving data from within that group, you may not need contractual clauses if approved Binding Corporate Rules are in place. Find out about other mechanisms for restricted transfers of personal data.

    This guide does not constitute legal advice and is provided for general information purposes only.